
INC Ransomware: Defending Against the 2026 Prolific RaaS Surge

Security Arsenal Team
June 19, 2026
6 min read

As we navigate the threat landscape of 2026, the disruption of major cartels like LockBit and BlackCat has left a vacuum that is being aggressively filled by new, agile players. Leading the charge is INC, a Ransomware-as-a-Service (RaaS) operation that has matured from a nascent project into one of the most prolific cybercrime groups active today. With 830+ claimed victims since August 2023, INC represents a clear and present danger to organizations of all sizes.

Unlike generic malware campaigns, INC operates on a mature affiliate model. This means the initial access vectors may vary—ranging from exploited vulnerabilities to valid credential usage—but the core payload remains consistent: aggressive encryption and double-extortion tactics. Defenders cannot rely on signature-based detection alone; we must pivot to behavioral analysis and robust credential hygiene to stem the tide of this encryption-based menace.

Technical Analysis

Threat Overview: INC is a RaaS platform providing encryption tools to a network of affiliates. The group has exploited the fragmentation of the ransomware ecosystem following law enforcement actions against competitors, absorbing affiliates seeking new revenue streams.

Affected Products & Platforms: While the specific source intelligence does not cite a singular software vulnerability (CVE), INC affiliates are known to target heterogeneous environments. The payload is capable of encrypting Windows and Linux systems, including virtualized infrastructure and NAS devices.

Attack Chain & Exploitation Status:

  • Initial Access: Affiliates typically gain access through unpatched external services, compromised credentials (obtained via phishing or info-stealers), or access purchased from initial access brokers.
  • Execution: Upon gaining a foothold, operators move laterally, often using remote management tools (e.g., RDP, Splashtop) to deploy the INC payload.
  • Impact: The payload employs strong encryption algorithms to lock files. Critically, it attempts to delete Volume Shadow Copies to prevent native system recovery, a hallmark of modern ransomware.
  • CVE Status: This specific advisory focuses on the activity and success of the INC operation rather than a specific zero-day. Defenders should assume that any unpatched 2025/2026 vulnerability (e.g., in VPN appliances or edge devices) serves as a potential doorway for INC affiliates.

Detection & Response

Given the lack of a specific CVE in this report, detection relies heavily on identifying the behavioral precursors to encryption—the "hands-on-keyboard" activities and the payload's attempts to cripple system recovery.

Sigma Rules

YAML
---
title: INC Ransomware Prep - Shadow Copy Deletion
id: 92a3f1c8-1b4d-4d67-bc12-3e5a8f901234
status: experimental
description: Detects attempts to delete Volume Shadow Copies, a common step taken by INC ransomware to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - Legitimate system administration tasks
level: high
---
title: INC Ransomware Prep - System Log Clearing
id: 82b4e1c9-2c5d-4e12-ac34-4f6b9g012345
status: experimental
description: Detects the use of wevtutil to clear system logs, often performed by ransomware operators to hide tracks.
references:
  - https://attack.mitre.org/techniques/T1070/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.defense_evasion
  - attack.t1070.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\wevtutil.exe'
    # Padded with spaces so only the clear-log verb matches, not any
    # log name or path that happens to contain "cl"
    CommandLine|contains:
      - ' cl '
      - ' clear-log '
  condition: selection
falsepositives:
  - Admin scripts clearing logs for space
level: medium
---
title: INC Ransomware - BCD Recovery Modification
id: 73c5d2a0-3d6e-5f23-bd45-5g7c0h123456
status: experimental
description: Detects modification of boot configuration to disable recovery, a tactic observed in INC encryptors.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'recoveryenabled no'
      - 'ignoreallfailures'
  condition: selection
falsepositives:
  - Rare administrative boot configuration changes
level: high
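The three Sigma rules above encode the precursor behaviours listed in the attack chain (shadow copy deletion, log clearing, boot recovery tampering). The following is an added example, not code from the advisory or from Sigma tooling: it transcribes the rules into data, re-implements the matching semantics a Sigma backend applies (case-insensitive `endswith` on Image and `contains` on CommandLine, list entries OR-ed, selection fields AND-ed) and runs them over a handful of constructed process-creation events, including two benign ones that a sloppier `contains: 'cl'` or a plain `vssadmin` match would have flagged. Event shapes and host names are constructed for the example.

```python
"""Sigma-style matcher for the three INC precursor rules.

Added example, not part of the original advisory. It re-implements the
rules' matching logic and runs it over constructed events offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    title: str
    level: str
    image_endswith: List[str]
    cmdline_contains: List[str]


# The three rules from the advisory, transcribed into data.
RULES = [
    Rule("INC Ransomware Prep - Shadow Copy Deletion", "high",
         ["\\vssadmin.exe", "\\wmic.exe"],
         ["delete shadows", "shadowcopy delete"]),
    # Padded with spaces so 'cl' only matches the clear-log verb, not any
    # substring of a log name or path.
    Rule("INC Ransomware Prep - System Log Clearing", "medium",
         ["\\wevtutil.exe"],
         [" cl ", " clear-log "]),
    Rule("INC Ransomware - BCD Recovery Modification", "high",
         ["\\bcdedit.exe"],
         ["recoveryenabled no", "ignoreallfailures"]),
]


def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    """Sigma semantics: string modifiers are case-insensitive, each list
    is a logical OR, and the selection's fields are AND-ed together."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_ok = any(image.endswith(s.lower()) for s in rule.image_endswith)
    cmd_ok = any(s.lower() in cmdline for s in rule.cmdline_contains)
    return image_ok and cmd_ok


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (rule title, level, host, command line) for every hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule_matches(rule, ev):
                hits.append((rule.title, rule.level, ev["Computer"], ev["CommandLine"]))
    return hits


# Constructed sample events in Sysmon/Windows process_creation shape.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "SRV02", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    # Benign: querying a log whose name contains "cl" must not fire.
    {"Computer": "SRV02", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Microsoft-Windows-Clustering/Operational"},
    {"Computer": "SRV02", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    # Benign: listing shadow copies, as the hardening script below does.
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for title, level, host, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{level.upper()}] {host}: {title} <- {cmd}")
```

Running the block prints four hits (two shadow-copy deletions, one log clear, one BCD change) and stays silent on the two benign events; the same data table can be fed to a real Sigma pipeline once the rules are converted for the SIEM in use.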

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ransomware precursor activities: Shadow Copy Deletion
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ is case-insensitive; FileName casing varies between sensors
| where ProcessVersionInfoOriginalFileName in~ ("vssadmin.exe", "wmic.exe")
    or FileName in~ ("vssadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("delete shadows", "shadowcopy delete")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious ransomware precursor processes
-- =~ is a regex match; the wevtutil verb pattern is padded with spaces so
-- "cl" only matches the clear-log verb, not any log name containing it.
-- Each AND pair is parenthesised so the OR chain reads as intended.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE (Name =~ "vssadmin" AND CommandLine =~ "delete")
   OR (Name =~ "wmic" AND CommandLine =~ "shadowcopy")
   OR (Name =~ "wevtutil" AND CommandLine =~ " (cl|clear-log) ")
   OR (Name =~ "bcdedit" AND CommandLine =~ "recoveryenabled")

Remediation Script (PowerShell)

PowerShell
#Requires -RunAsAdministrator
# INC Ransomware Hardening Script
# Run this on critical endpoints to verify recovery mechanisms are active.
# vssadmin and bcdedit need an elevated session, hence the #Requires line.

Write-Host "Checking System Recovery Configuration..." -ForegroundColor Cyan

# 1. Check that the VSS service exists and is running
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($null -eq $vssService) {
    Write-Host "[WARNING] Volume Shadow Copy Service not found on this host." -ForegroundColor Red
} elseif ($vssService.Status -ne 'Running') {
    Write-Host "[WARNING] Volume Shadow Copy Service is not Running. Start it manually." -ForegroundColor Red
} else {
    Write-Host "[OK] Volume Shadow Copy Service is Running." -ForegroundColor Green
}

# 2. Check recent Shadow Copies (ensure they exist)
# vssadmin reports an empty set as "No items found that satisfy the query."
try {
    $shadows = vssadmin list shadows 2>&1
    if ($LASTEXITCODE -ne 0) { throw "vssadmin exited with code $LASTEXITCODE" }
    if (($shadows | Out-String) -match "No items found") {
        Write-Host "[WARNING] No Shadow Copies found. System is vulnerable to data loss." -ForegroundColor Red
    } else {
        Write-Host "[OK] Shadow Copies exist." -ForegroundColor Green
    }
} catch {
    Write-Host "[ERROR] Could not query VSS: $_" -ForegroundColor Red
}

# 3. Check the 'recoveryenabled' boot setting (simple check)
# A boot loader entry reading "recoveryenabled No" means Windows RE has been disabled.
$bcdStatus = bcdedit /enum | Select-String -Pattern '^\s*recoveryenabled\s+No'
if ($bcdStatus) {
    Write-Host "[CRITICAL] Boot Recovery is DISABLED. Re-enable immediately using: bcdedit /set {default} recoveryenabled yes" -ForegroundColor Red
} else {
    Write-Host "[OK] Boot Recovery appears enabled." -ForegroundColor Green
}

Write-Host "Remediation check complete."

Remediation

  1. Isolate and Contain: If INC activity is suspected, immediately isolate affected hosts from the network to prevent lateral movement. INC affiliates aggressively move to domain controllers.
  2. Credential Reset: Assume the attacker has valid credentials. Force a password reset for all privileged accounts and service accounts used on affected segments, specifically enforcing MFA re-enrollment.
  3. Verify Backups: This threat specializes in encryption. Verify that offline backups are immutable and have not been touched. Test a restore procedure immediately.
  4. Patch Edge Infrastructure: While no specific CVE is cited in this report, INC affiliates exploit unpatched internet-facing appliances. Ensure all VPNs, firewalls, and remote access tools are patched to the latest 2026 firmware.
  5. Disable RDP (if unused): RDP is a primary lateral movement vector for RaaS groups. Restrict RDP access strictly to VPN or a Remote Desktop Gateway, and never expose it directly to the internet.
